Top Menu

It’s time to add SSL encryption to your business website – or be left behind

SSL encryption is fast becoming the standard for reputable websites – and it just got cheaper than ever to add it to your website.

The arrival of free secure certificates in 2016 means that websites are switching to secure encryption at a faster rate than ever and it will soon become the standard.

And when that happens, websites that do not use https and SSL will be increasingly disadvantaged.

What is SSL encryption?

SSL stands for Secure Socket Layer, which, as descriptions go, is about as useful to the lay person as an ashtray on a motorbike. Here’s what you actually need to know.

Up to now, most websites use a system (called a protocol) called http to send data between the website and its users. The letters http appear in the address bar of your browser before the web address when you are browsing the site.

Not all attempts to hack into your computer are this obvious

Not all attempts to hack into your computer are this obvious

http sends data down the line in packets, through a long series of routers between website visitors and the web server, and there is a chance that somewhere along the way they are intercepted by criminals, unethical advertisers, governments, or other unsavoury characters.

When you view a website over a secure connection, a protocol called https is used. Again, this can be seen in the address bar, but also a green padlock appears alongside, depending on which browser you use.

Data sent over https is encrypted, and in theory at least, can only be deciphered by the website/user.

To make encryption work, you must get an SSL certificate, which verifies the identity of the website.

What difference does SSL encryption make?

SSL means the connection between the website and its users is scrambled and can’t be intercepted and read by a third party.

It also means the identity of your website is verified. The green padlock in the address bar in modern browsers is an important trust signal.

It’s been common for years on banking sites, for example, but now on every major website you can think of, from Facebook and Twitter, Wikipedia and even Google searches.

As usual, media sites like the BBC and the Guardian are lagging behind, but even they will have to do something soon, because the main web browsers Chrome and Firefox have already announced plans to phase out support for http.

Who needs SSL encryption?

If your website handles personal information in any way, it should be encrypted.

That means every e-commerce website, or any site that handles personal data, but also sites with contact forms.

ssl photoBut SSL also offers advantages for every website, not just those where information is entered.

In 2014 Google announced it would give a search boost to websites with SSL encryption on its Webmaster blog:

They said: “For now it’s only a very lightweight signal — affecting fewer than 1% of global queries, and carrying less weight than other signals such as high-quality content — while we give webmasters time to switch to HTTPS. But over time, we may decide to strengthen it, because we’d like to encourage all website owners to switch from HTTP to HTTPS to keep everyone safe on the web.”

Actually, Google etc are doing a lot more than encouraging us to use https – they are forcing us. But it’s for our own good.

So why switch to SSL now?

Until recently there have been two major stumbling blocks – cost and the impact of SSL on website load times.

SSL was expensive to implement

The major cost is the cost of the certificate itself, which can be anything up to £400, depending on the type of certificate.

Certificate verification is also complex and time-consuming, and then there’s installing the certificate on the web server, and reconfiguring the website to work over SSL.

But that just changed with the arrival of free certificates and a simple registration system, thanks to the Let’s Encrypt project.

Let’s Encrypt is a new non-profit project with the aim of making SSL the default across the web and it’s backed by some big names including Facebook, Google Chrome and Cisco.

After a public trial it launched in April this year and it’s catching on fast. As of June 3, 2016, Let’s Encrypt had issued more than 4 million certificates. At the time of writing, some two weeks later, we’re on nearly 5 million.

The pace of adoption is accelerating.

Graph shows number of Let's Encrypt certificates issued up to the end of June 2016

Graph shows number of Let’s Encrypt certificates issued up to the end of June 2016

SSL slowed websites down

Website load speed is an important factor in usability and search, and SSL adds to that because of the electronic handshake that takes place between the website and the user’s computer.

But since last year a new version of the http system, http/2 was launched. In short, http/2 speeds up websites dramatically, but it can only be used over an encrypted SSL connection. A fuller explanation of http/2 can be found on Wikipedia.

It’s been adopted by many good webhosts including ours, SiteGround, who also support the Let’s Encrypt Project.

Let's Encrypt logoSo now, assuming you are with a good web host, activating SSL will actually speed up your website by allowing it to use http/2.

This means websites using SSL get a double boost to their search rankings – one from SSL and one from reduced loading time.

The time to switch to SSL is now

The two major obstacles to using SSL are gone, and mass adoption is happening NOW.

It’s no longer a case of justifying the cost of switching to SSL – you now need a damned good reason not to do it – hint: There isn’t one

If you have a business website and don’t start at least thinking about SSL now, you are going to be left behind. If you don’t websites make the switch, Google will reward your competitors who have gone secure more and more.

But more than that, websites that don’t use https/SSL will be hit – and soon.

Last year the Mozilla Foundation, which supports the Firefox web browser, declared its intention to phase out http.

They said: “There are two broad elements of this plan:

  1. Setting a date after which all new features will be available only to secure websites
  2. Gradually phasing out access to browser features for non-secure websites, especially features that pose risks to users’ security and privacy.”

So that’s https by default. It may not happen for a while, but it’s on the cards.

What we’re doing at Moghill

We’ve always thought https/SSL to be a good idea, but were held up by those concerns over cost and website speed, so we welcome the arrival of Let’sEncrypt.

Starting with our own website, we have been experimenting with Let’s Encrypt since April, and we’ve also secured a handful of our client sites.

Any new website we build now includes https/SSL, and we’re offering existing clients the chance to upgrade. Over time we are looking to to bring all websites we look after up to the new standard.

To us it’s a no-brainer.

More on SSL

With the right web hosting, it’s relatively straightforward to set up an existing WordPress to work with an SSL certificate.

Here are some resources to help, and some more articles on SSL and search.

 

Photo by Sean MacEntee

 

No comments yet.

What do you think? Leave a comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.